There was a two-hour debate in the House of Lords this evening on a Lords’ Select Committee report on protecting Europe against large-scale cyber-attacks.
My contribution (which followed an excellent maiden speech from Lord John Reid) was as follows:
“My Lords, it is an enormous pleasure to follow my noble friend Lord Reid of Cardowan and his maiden speech, in the course of which he paid a very graceful tribute to his successor as Member of Parliament. He told us that she had already attained the ripe old age of 25. I am informed that the noble Lord started his political career some considerable period earlier than 25. I am told, in fact, that he led his first strike at the age of about 14 and a half when he was still at school and was objecting to the practice of the fairly disciplinarian head teacher that the children should be kept outside, irrespective of the weather, until the school started. He called a strike of his fellow pupils on the basis that, if they were not allowed in until nine o’clock, they would not go in after nine o’clock. My understanding is that he was successful in that, which demonstrates a robustness and forceful nature, which we have seen in this afternoon’s speech. However, we have also seen the noble Lord’s other side—his erudite and thoughtful nature. I understand that it is that side that comes in particularly useful in his latter-day role as chairman of Celtic Football Club, where erudition and thoughtfulness is particularly important.
The noble Lord has had 10 years in very senior roles as a member of Her Majesty’s Government. He was in the last Government what I think should be described as a “big beast”, with the emphasis on some occasions on the word “beast”. I worked closely with him in a number of those roles, in particular in his time at the Home Office. One of the achievements of that period is a lasting one: the creation of the Office for Security and Counter-Terrorism. This country will learn to realise how significant and important it has been, and that is down to my noble friend. His contribution today has demonstrated the qualities of robustness and erudition that we will all expect to hear much more of in the time ahead. We do indeed look forward to many further contributions of a similar nature.
I am grateful to the noble Lord, Lord Jopling, for his introduction of the report and his work, and the work of his colleagues, in pulling together the report which we have had. It is a very important Select Committee report, and I had the privilege of sitting in on a couple of the evidence sessions to hear the discussion. As the noble Lord pointed out, we are having quite a timely debate following the reported comments of the director of GCHQ in the past few days. He has talked about the significant level of attacks on government systems, many of them precisely and deliberately targeted at those systems. The debate is unfortunately not quite as timely as it might be in that we do not yet have the benefits of the results of the security and defence review or the comprehensive spending review. We will have to wait a few more days for those. However, I hope that that fact of timing will not prevent the Minister from providing us with some more information on how the Government’s thinking on these matters is developing.
I have high hopes for the noble Baroness, Lady Neville-Jones, because I am aware of her continued personal interest in matters of cybersecurity and information assurance. I have attended so many meetings over the past few years which she has been at, and which have discussed these matters, that I know that she takes these matters extremely seriously. That includes, for example, her chairing for a period the Information Assurance Advisory Council, which brought—and continues to bring—together industry, academia and government to talk about these matters. We have high expectations of the Minister in what is going to be done in this field over the months and years to come, and I am sure that she will not disappoint us today in her response to this debate.
It is important that we recognise several elements in the issues around cyberattacks and the matters which this report has covered. A few years ago, a lot of these matters were dismissed as the actions of teenage cyberjuvenile delinquents who were merely interested in getting into systems because they were there and, perhaps, in gaining some element of self-respect by leaving their mark on those systems, proving that they had been there—a sort of petty vandalism, expressed in the cyberworld as opposed to the physical world that other juvenile delinquents might be engaged in. Yet we have to recognise that those juvenile delinquents have grown up. Some have grown out of those issues, but others have started their own criminal enterprises; some have been bought up by much more organised and serious criminal enterprises; some have, no doubt, become fundamentalist in their religious views; others are being employed by nation states. We have to recognise the scale and effectiveness of the targeting that can now be done.
We therefore have not only the continued action and vandalism of the juvenile delinquents but the issues around cyberactivism, of people trying to make a political or other point by mass cyberaction. We have small-scale crime, but more significantly we have an enormous wave of organised crime using the techniques that are now possible through the internet. That is now having an effect. We also have otherwise respectable businesses making use of these criminal techniques to inform themselves of their competitors’ activities and, indeed, trying to obtain intellectual property. Then we have state-sponsored activity, some of it at the commercial end but some of it much more about creating the opportunity to attack other nation states if that is necessary. The noble Lord, Lord Jopling, has talked about what happened to Estonia, and numerous incidents are now reported of what are perceived as being—although this is not necessarily the case—attacks sponsored by one nation state against another in this sphere. We have yet to see a serious terrorist act perpetrated through these means, but it is only a matter of time before terrorists also make use of these techniques as an adjunct, as part or as the main focus of their attack.
We therefore have to examine the issues raised by this report in a number of ways. First, while they might not quite meet the definition that the noble Lord, Lord Jopling, gave of a cyberattack, the activities of serious and organised criminality in terms of fraud and all the things that it is trying to do are of such a scale that Governments—national, Europe-wide and worldwide—should be taking them seriously and acting on them.
Secondly, we have to look at the scale of what is happening in terms of corporate raiders, intellectual property theft and the potential for industrial disruption. Again, some of this is by organised crime, but my understanding is that a significant proportion of that is carried out by nation states or at their behest.
Thirdly, and this is particularly important in terms of the responsibilities of our Government and the Minister, there are issues around the attacks on, and the vulnerability of, our own critical national infrastructure. Some of those attacks on government systems are about espionage, but some of them are about creating the potential for disruption.
I have a number of questions or issues that I hope the Minister will be able to respond to. The first relates to the sheer volume of criminality and whether as a nation we are equipping ourselves to keep up with those who are trying to defraud our citizens or otherwise cause problems. There has been a history of law-enforcement initiatives taken in this field. The National Hi-Tech Crime Unit, which was very successful, appeared to disappear when its responsibilities were taken over by the Serious Organised Crime Agency, so much so that the police had to set up a new unit, the Police Central E-Crime Unit—I declare an interest as someone who has been closely involved in that, as a member of both the Metropolitan Police Authority and the ACPO board that oversees it—which has had a series of successes, like the arrests a few months ago of the five men and one woman engaged in stealing the details of more than 10,000 bank accounts and allegedly netting themselves more than £3 million as a consequence. That unit, working with the private sector and levering in resources from it, has been remarkably successful, but it is still new and fairly fragile.
I understand that there are rumours that this unit should be subsumed into the proposed new national crime agency. I have no objection to the new agency, once it is established, maybe taking on this responsibility; it must certainly have a capacity to deal with these matters. My concern is that if we move too quickly to that process, the idea of subsuming a body that is only just beginning to work into a new body that will be going through its own birthing pains is not necessarily sensible. We have had evidence from the outgoing chief executive of the Child Exploitation and Online Protection Centre about the fragility of those structures and the private sector funding of them. He suggested that Microsoft may propose to withdraw the resources that it puts into CEOP because of the uncertainty about its future. I hope that the Minister will give us some assurances today about the continued budget to enable the police to play their role in fighting e-crime, that we will not see the fragile new arrangements subsumed too early into a national crime agency and that there will at least be time for any national crime agency to be established, and to establish itself, before such a change takes place—if that is what happens.
The second issue was referred to by the noble Lord, Lord Jopling, when he talked about the so-called Stuxnet attacks on the control systems of the Iranian nuclear power programme. I have been concerned, as have several noble Lords and others, about the vulnerability of SCADA systems to attack. Is the noble Baroness personally satisfied that enough is being done at present to protect such control systems for our critical national infrastructure, against both the sort of electronic attack that the Stuxnet attack seems to have been and the electromagnetic pulse attacks that the noble Lord, Lord Reid, referred to? He made the valid point that exploding a nuclear device might be rather a visible way of producing an electromagnetic pulse. However, there are regular cycles of sunspot activity that could produce the same sort of effects. The issue of protection remains, whether it is an external attack, a natural event or something triggered electronically.
I would also like the noble Baroness to tell us whether enough is being done to protect the intellectual property of the United Kingdom against electronic attacks. In this context, is she satisfied that the major contractors that provide services to government departments are themselves adequately protected against this sort of penetration? I have heard stories about some of those major contractors being heavily penetrated in possibly state-sponsored incidents. If that is the case it is extremely serious. It is important that the noble Baroness should give us her assurance as to what can be done.
Finally, I hope the noble Baroness will give us, in the course of her remarks, a route map that tells us who is in charge of the various key elements of this matter. Who is in charge of setting the standards of security for our critical national infrastructure? Who is responsible for attributing where attacks are coming from? Who is responsible for managing resilience and recovery, should an attack take place? Who is responsible, if necessary, for retaliation or taking out those who are carrying out these attacks?”
The Metropolitan Police Commissioner, Sir Paul Stephenson, has issued an important reminder about specialist policing in an article in today’s Sunday Telegraph. In it he highlights the valuable work of the Central e-Crime Unit based in the Metropolitan Police, saying:
“Four criminals obtained the personal financial details of hundreds of people, allowing them to identify up to £8 million they could steal. They siphoned off £750,000 from 64 victims before police arrested them.
In another operation, detectives working with the financial sector found a network of 600 criminally-controlled bank accounts waiting to be used to ‘cash out’ the proceeds of cyber theft.
In other cases, suspects have allegedly offered sophisticated online courses in cyber fraud.
And last week, detectives from the Metropolitan Police Central e-Crime Unit (PCeU), working with the FBI to investigate the theft of money from online bank accounts, charged 11 people.”
I have been closely involved in the setting up of this Unit over the last few years, so it was gratifying to see Sir Paul’s acknowledgement of its contribution to the fight against crime.
Sir Paul points out:
“All these cases indicate the scale of the challenge facing us. Yet my investigators tell me the expertise available to them is thin, compared to the skills at the disposal of cyber criminals.
In a modest south London office block, the PCeU’s small team of officers and civilian support staff are working to tackle cyber criminality.”
As it happened I was in that “modest south London office block” last week, looking at another of the Metropolitan Police’s specialist units, but as I passed the PCeU I was reminded yet again how small a unit it is given the scale of the problems and organised criminality that it is facing.
But Sir Paul was not simply praising a small team of dedicated police officers and staff. He was making a much more fundamental point:
“They are unseen officers, as far as the public and some politicians are concerned. They work with the financial and internet industry to tackle the use of the internet to facilitate criminality and cyber crime, and to close down illegal sites.
However, the significance of the unit goes to the heart of the current debate about what policing should look like in an era of significant budget cuts.
Some commentators argue that we should concentrate on uniformed policing and draw back from specialised work that could be done by others. Leave cyber crime to the banks and retailers to sort out, the argument runs.
It is a fundamentally misguided argument.
If the debate about police cutbacks gets bogged down in arguments about ‘uniforms before specialists’ we will not serve the public well. It is vital to have a balanced model of policing with visible uniformed officers and specialist units such as PCeU, as well as other key units like the Kidnap Unit, Child Abuse Investigation and homicide teams.”
Sir Paul has hit the nail on the head. Policing must be about much more than “Bobbies on the beat”. Neighbourhood presence is of course essential. But so too is having the specialised resources to tackle organised crime and terrorism – if these are neglected the ultimate impact on all of our qualities of life is potentially catastrophic.
Current debates about police budgets must not fall into the trap of focusing all the attention on visible policing. Balance will be essential.
And round the corner what will be the impact of the proposed directly-elected Policing and Crime Commissioners?
There is a danger that a populist focus on visible local policing may appear to be an election-winning formula and that the essential balance in policing will be lost. If there are to be directly-elected Commissioners – and the Coalition appears to be pretty determined that there should be – it will be vital that a clear legal duty is placed on the new Commissioners to deliver an effective contribution to the fight against organised crime and terrorism. The new legislation must make sure that the balance between visible local policing and specialist resources, like the PCeU, is maintained.
As my previous post reported, there is just a little uncertainty about what the detailed outcome will be of the Shadow Cabinet elections that are about to take place. However, I have spoken to a large number of delegates today about how they would like the top few jobs distributed.
There was unanimity that people want to see David Miliband remain in the Shadow Cabinet and after much discussion the following consensus emerged on the ideal line-up.
And here are the top four posts:
Shadow Foreign Secretary – David Miliband;
Shadow Chancellor – Yvette Cooper;
Shadow Home Secretary – Ed Balls;
Shadow Constitutional Affairs (opposite Nick Clegg) – Alan Johnson.
I have already speculated that:
“David Cameron personally has been convinced that the comprehensive spending review must ensure that substantial extra resources are spent on developing the UK’s capacity to counter cyber threats to its infrastructure and that the debate between the Treasury and the Cabinet Office is whether the new investment should be £1.5 billion or £2 billion.”
Now The Register reports:
“An awkwardly-worded reply by Defence Secretary Liam Fox to questions in the House of Commons suggests that cuts in information security spending are not on the agenda for the Strategic Defence and Security Review (SDSR), which is due to report back in the Autumn. On the contrary, Britain is looking to boost its capabilities in the area.
Cyber-security is an important element of the SDSR and has already had considerable consideration. Decisions on enhancing our capabilities will form part of the review, which we will announce to the House later this autumn.
Developing a military cyber-security policy should not be the responsibility of the Ministry of Defence alone, Fox added.
Investing in better cyber-security will not be an option for the United Kingdom. What is being considered under the National Security Council as part of the SDSR is how that occurs. We will face increasing threats in cyberspace in the years ahead – the question is how we identify the weakest areas, which need to be looked at first, and how we develop the technologies so that, as the other technologies that might affect us continue to evolve, we are best protected. That will require us to look at research across the board.
The exchange, which occurred during defence questions in the House of Commons on Monday, is recorded for posterity by Hansard here.”
It is, of course, possible that Liam Fox was speaking “off-piste” or was simply “mis-speaking”.
However, the topic was on the agenda of a recent meeting of the National Security Council – so this may be the best indication yet as to what is emerging from this aspect of the Strategic Defence and Security Review.
We will know soon enough.
My default position is that the new Coalition Government is hell-bent on creating a double-dip recession and on dismantling vital parts of the public sector, is ideologically-driven and is cavalier about the impact of its policies on disadvantaged communities. And I remain to be convinced that it is not taking unacceptable risks with national security.
So the stories I have been hearing about the willingness of the Government to invest in the nation’s cyber-security come as an unexpected, but pleasant, surprise.
I am told that David Cameron personally has been convinced that the comprehensive spending review must ensure that substantial extra resources are spent on developing the UK’s capacity to counter cyber threats to its infrastructure and that the debate between the Treasury and the Cabinet Office is whether the new investment should be £1.5 billion or £2 billion.
This of course is still far less than many other countries are investing. However, if my informants are correct, this would be a useful step in the right direction. Seeing will be believing. And we’ll see on 20th October.
The perils/dangers of USB sticks are highlighted by two news stories in the last few days.
First, Greater Manchester Police have been embarrassed by an unencrypted USB stick that was “found lying in the street” which the public-spirited citizen who “found” it passed on to the responsible authorities (aka The Daily Star on Sunday). Apparently, the USB stick contained “2,000 pages of highly-sensitive and confidential information” including material “on countering the threat of terrorism on British streets include strategies for acid and petrol bomb attacks, blast control training and the use of batons and shields.”
Of course, it is entirely natural that, if you find something outside a police station, emblazoned with the logo of Greater Manchester Police, the first thing you do is take it home and plug it into your laptop. And then when you realise how sensitive it is you decide not to return it to the Police but give it to a tabloid newspaper. This public-spirited citizen was so confident of the correctness of his actions that he “asked the Daily Star Sunday to withhold his identity because he feared reprisals”.
Meanwhile in India, the Times of India reports:
“Even as Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems, hostile intelligence agencies are also trying to steal defence secrets through use of computer storage media (CSM) devices like pen drives, removable hard disks, CDs, VCDs and the like.
The Intelligence Bureau has sounded a red alert about “intelligence officers of a hostile country” encouraging their “assets” working in Indian defence establishments to use CSM devices to pilfer classified information from computer networks.”
It looks as though the Chinese and Pakistani intelligence agencies are wasting a lot of effort – all they need is to get a few Mancunian businessmen and the Daily Star onside and they will have all the information they need …
The latest journal from the Royal United Services Institute contains a perceptive article, entitled “Terrorism: The New Wave”, which was widely reported last Friday.
It follows concerns I raised in the House of Lords last month:
“Lord Harris of Haringey: My Lords, what is the rate of conversion to Islam within prisons and what steps are the Prison Service taking in terms of monitoring radicalisation and external speakers who come into prisons?
Lord McNally: I do not have precise figures on conversions, but I know the background to this question of whether or not there is radical Islamisation in prisons. The studies that I have been shown reveal no conclusive evidence of this, although there are examples which give rise to concern. The staff and the wider Prison Service keep a close eye on imams in prisons. Bringing them in to lecture, preach and minister within prisons has been one of the benefits, but we must make sure that it is a positive influence, as the noble Lord suggested.”
The RUSI study warns that one of the key threats from this next generation of terrorists comes from within the ranks of the 8,000 Muslims currently serving prison terms who are at risk of being converted to extremism by hardcore inmates jailed for terrorist offences.
The report cites estimates by prison probation officers that up to one in 10 Muslim inmates are being successfully targeted while inside jail, leading to the creation of a new generation of potential attackers who are due for release in the next decade and whose previous convictions do not relate to terrorism.
The report suggests that radicalisation is taking place in British prisons at a rapid rate, especially in the eight high-security establishments where most terrorism offenders are detained.
However, newspaper reports describe the study’s findings as being dismissed by the Coalition Government:
“The Ministry of Justice said it did not agree that radicalisation was widespread within the prison system. A spokesman said: “We run a dedicated expert unit to tackle the risk posed by those offenders with violent extremist views and those who may attempt to improperly influence others.””
The response smacks of complacency. I trust the complacency does not extend to one of the other major findings that large-scale and co-ordinated attacks such as the 7 July bombings are likely to be replaced with terrorist assaults by highly motivated but poorly trained lone individuals whose lack of connection with any major terrorist organisation will make them more difficult for police or MI5 to detect.
RUSI, which is very well-connected and whose reports are normally highly respected, has produced a timely and important contribution to the discussion of the terrorist threat faced by the UK. Its conclusions should be taken seriously and not brushed aside by the Government.
The Washington Post reports that the US Deputy Defense Secretary has publicly acknowledged what is being described as the most significant breach of U.S. military computers.
The cause was a flash drive inserted into a U.S. military laptop in the Middle East in 2008.
And the consequence was that the malicious code, which had been placed on the drive by a foreign intelligence agency, uploaded itself onto the network run by the U.S. military’s Central Command. Apparently, the code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.
This disclosure was apparently part of a deliberate strategy to raise the awareness of the US Congress and the American people of the cyber-threat being faced by the USA. Apparently, the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily and the US Government’s concern is that cyberwar is asymmetric and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.
The problems faced by the Pentagon are no doubt faced – on a smaller scale – by the UK Ministry of Defence and the British armed services. I do not, however, detect a similar openness about the threat by the UK’s Coalition Government – perhaps because the strategy to address the problem is nothing like as well-developed as it should be.
One of the disturbing features of the last few years has been the way in which terrorist techniques honed in the war zones of Iraq and Afghanistan have subsequently been used elsewhere in the world.
So a news article in Homeland Security Newswire should be considered not only for the horror of what it describes, but as a warning of a tactic that might be used by terrorists thousands of miles away. The article reports that:
“The Taliban continues its violent campaign to push Muslim women back into Medieval times; in Afghanistan, the Taliban is pursuing a campaign against girls’ education; the organization’s latest tactics: poisonous gas attacks on girls’ schools, aiming to scare students and teachers; Taliban operatives launched eight poisonous gas attacks on girls schools since April, and earlier today it launched the ninth attack, this time against a girls high school.
Dozens of school girls and teachers were sickened today (Wednesday) by poison gas in Afghanistan, medical and government officials said. The latest incident, this one at a high school, is the ninth such case involving the poisoning of school girls, said Asif Nang, spokesman for the nation’s education ministry (“Taliban uses poisonous gas in attack on Kabul girls school,” 5 May 2010 HSNW).”
The BBC reports today on the loading of the first nuclear fuel at the Bushehr reactor in Iran tell us that the international community can be reassured on the basis that (1) the nuclear fuel rods are all being supplied by Russia and (2) the spent rods and waste will go back to Russia.
At the risk of sounding like an unreconstructed cold warrior, I have to confess to not finding this at all reassuring.
Why does Russia want to do this and what do they expect to get out of it?
And as for the waste, the work I have been doing in recent months on the safeguards (or lack of them) at reprocessing plants hardly makes any of this sound any better.
Please somebody persuade me that this is good news ….